E4.2.1. The organizations involved in the development, fielding, operation, and maintenance of secure IT systems include the acquisition and maintenance organizations, the system operator(s), the DAA(s), and the users. The key roles in these organizations involved in the C&A process are the program manager of the organization responsible for the system (i.e., the system owner), the DAA, the CA, and the user representative. The organization with engineering and funding responsibility for the system may change as the system progresses through the life-cycle phases. During acquisition, this responsibility may rest with the acquisition organization, represented by the system’s acquisition program manager. During the system’s operations and maintenance phase, that responsibility may rest with the system manager. In the case of a major upgrade, the system may be turned over to a maintenance organization; the upgrade program manager would then represent the maintenance organization. The DAA should be a senior member of the operational chain of command where the system is operating. The system users may be part of a single organization or a large, diverse community. In either situation, for DITSCAP purposes, the user representative will represent the users’ interests.

E4.2.1.1. The key parties throughout the DITSCAP are the program manager, the DAA, the CA, and the user representative. They shall reach agreement during Phase 1 “negotiation” and approve the SSAA. During Phases 2, 3, and 4, if the system is changed or any of the agreements delineated in the SSAA are modified, the four key parties return to Phase 1 for negotiation and subsequent revision of the SSAA.

E4.2.1.2. The CA, the ISSO, the threat developer, and the security working groups shall support the C&A process. They provide the security technical expertise to support the DAA, the program manager, and the user representative.

E4.2.1.3. The DITSCAP roles, shown in Table E4-1, are described in paragraphs E4.2.2. through E4.2.4. below. The discussion describes the functional relationships and integration of these roles, but is not intended to describe organization or command functions. During the life-cycle of a system, some of these roles may be assumed by a variety of organizations. In some cases, the three roles may be performed by three separate organizations. In other cases, some roles may be combined; e.g., the user representative and the program manager roles may be performed within the same organization.

Table E4-1. Management Responsibilities by DITSCAP Phase.

Columns: Phase; Program Manager; DAA and CA; User Representative.

Phase 1

Program Manager: Initiate security dialogue with the DAA, the CA, and the user representative. Define system schedule and budget. Define and/or validate system performance, availability, and functionality requirements. Support DITSCAP tailoring and level of effort determination. Draft or support drafting of the SSAA. Reach agreement on the SSAA. Approve the SSAA.

DAA and CA: Define ITSEC accreditation requirements. Obtain threat assessment. Begin vulnerability and risk assessments. Assign the CA. Support DITSCAP tailoring and determine the level of effort. Draft or support drafting of the SSAA. Reach agreement on the SSAA. Approve the SSAA.

User Representative: Validate and/or define system performance, availability, and functionality requirements. Support DITSCAP tailoring and level of effort determination. Reach agreement on the SSAA. Approve the SSAA.

Phase 2

Program Manager: Review the SSAA. Develop system or system modifications. Support certification actions. Review certification results. Revise system as applicable.

DAA and CA: Review the SSAA. Evaluate developing system. CA performs certification actions. CA assesses vulnerabilities. CA reports results to the program manager, the DAA, and the user representative. Maintain the SSAA.

Phase (phase number not present on the page)

Program Manager: Review the SSAA periodically. Operate the system as described in the SSAA. Maintain an acceptable level of residual risk. Submit proposed changes to the user representative, the ISSO, the DAA, and the CA, as applicable. Support compliance validation.

DAA and CA: Review the SSAA. Review proposed changes. Oversee compliance validation.

User Representative: Review the SSAA. Oversee system operation as described in the SSAA. Maintain an acceptable level of residual risk. Continuously review threat, system vulnerabilities, and residual risk. Review and approve proposed changes. Submit significant changes to the DAA and the CA. Perform compliance validation actions.